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Abstract 

Let C be a depth-3 circuit with n variables, degree d and top fanin k (called £I±£(/c,d, n) 
circuits) over base field F. It is a major open problem to design a deterministic polynomial time 
blackbox algorithm that tests if C is identically zero. Klivans & Spielman (STOC 2001) observed 
that the problem is open even when k is a constant. This case has been subjected to a serious 
study over the past few years, starting from the work of Dvir & Shpilka (STOC 2005). 

We give the first polynomial time blackbox algorithm for this problem. Our algorithm runs in 
time po\y(n)d k , regardless of the base field. The only field for which polynomial time algorithms 
were previously known is F = Q (Kayal & Saraf, FOCS 2009, and Saxena & Seshadhri, FOCS 
2010). This is the first blackbox algorithm for depth-3 circuits that does not use the rank based 
approaches of Karnin k Shpilka (CCC 2008). 

We prove an important tool for the study of depth-3 identities. We design a blackbox poly- 
nomial time transformation that reduces the number of variables in a SilE(/c, d, n) circuit to k 
variables, but preserves the identity structure. 



* Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a 
wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy's National Nuclear 
Security Administration under contract DE-AC04-94AL85000. 
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1 Introduction 



Polynomial identity testing (PIT) is a major open problem in theoretical computer science. The 
input is an arithmetic circuit that computes a polynomial p(x%, X2, ■ ■ ■ , x n ) over a base field F. We 
wish to check if p is the zero polynomial, or in other words, is identically zero. We may be provided 
with an explicit circuit, or may only have blackbox access. In the latter case, we can only evaluate 
the polynomial p at various domain points. The main goal is to devise a deterministic blackbox 
polynomial time algorithm for PIT. One of the main reasons for interest in this problem is the 
connection between PIT algorithms and circuit lower bounds (Heintz & Schnorr [HS80], Kabanets 
& Impagliazzo [KI03] and Agrawal |Agr05, Agr06|). Refer to surveys for a detailed treatment of 



PIT [Sax09llAS09] . 

Since the problem of PIT is very hard, restricted versions of it have been studied. One common 
and natural variant is that of the bounded depth circuits. Results of Agrawal & Vinay [AV08J 
justify this restriction. They essentially show that an efficient blackbox identity test for depth- 
4 circuits leads to (almost) the complete resolution of PIT and also provides exponential lower 
bounds. Raz [RazlO] showed that even lower bounds for depth-3 circuits imply super-polynomial 
lower bounds for general arithmetic formulas. Not surprisingly, the problem of PIT is still wide 
open for the special case of depth-3 circuits. 

A depth-3 circuit C over a field F is of the form C(x\, . . . ,x n ) = Yli=i T%, where 2$ (a multi- 
plication term) is a product of at most d linear polynomials with coefficients in F. The size of the 
circuit C can be expressed in three parameters: the number of variables n, the degree d, and the 
top fanin k. Such a circuit is referred to as a SIIS(fc,d, n) circuit. Even when the top fanin k is 
constant, blackbox polynomial time algorithms were not knowrQ. 

The study of PIT algorithms for depth-3 circuits was initiated by Dvir &: Shpilka |DS05j . who 
gave a quasi-polynomial time non-blackbox algorithm. The first non-trivial blackbox algorithm was 
given by Karnin & Shpilka [KS08j. There have been many recent results in this area by Kayal & 
Saxena [KS06J , Saxena & Seshadhri [SS091 ISSlOa] . and Kayal & Saraf [KS09b]. Our main result is 
the first polynomial time blackbox tester for bounded top fanin depth-3 circuits over any field. 

Theorem 1 There exists a deterministic blackbox poly(nd k ) time algorithm for PIT on T,UT,(k, d, n) 
circuits, regardless of the base field F. 

Table [1] details the time complexified of previous algorithms. For convenience, we do not give 
the list of all algorithms, but only the important milestones for the case of arbitrary fields. We 
stress that the time complexities bound the number of bit operations. 

Table 1: Depth-3 blackbox PIT algorithms over any field 



Paper Time complexity 

[KB08j nd ^io g «-*d) 

[SS091 ISSlOaj nd k2l °z d 

This paper nd k 



The only field for which such polynomial time algorithms were previously known was Q. This 
was a breakthrough result of Kayal & Saraf [KS09b], which was followed by improvements in [SS10a| . 
These used beautiful incidence geometry theorems for the reals, but analogues of these results are 
either unknown or false for other fields. Since the best running time of these algorithms is poly(nd fc ), 
we get an improved algorithm for this case as well. 

As Table [1] shows, even for the simple case of k = 3 and ¥ = ¥2, no deterministic polynomial- 
time blackbox PIT algorithm was known. Kayal & Saxena [KS06j gave a non-blackbox algorithm 

1 Until this work. 

2 Technically, the running times are polynomial in the stated times. 
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(over all fields), which runs in poly (nd k ) time |KS0 6j. Theorem [T] closes the gap between blackbox 
and non-blackbox algorithms. 

Throughout the following discussion, we will think of k as a constant. Hence, when we refer to 
polynomial time, the dependence on k will be ignored. 

1.1 Variable reduction 

Dvir &; Shpilka [DS05] introduced a powerful idea. They defined the notion of the rank of a 
d, n) circuit. We will not explain this precisely here but merely say that this is the number of 
"free variables" in a circuit. They proved the remarkable fact that the rank of every identity H 
is small. This led to the reduction of PIT for general EIIS(A;, d, n) circuits to PIT on SIIS circuits 
over few variables. They developed a non-blackbox quasi-polynomial time algorithm through their 
rank bounds. Karnin &: Shpilka [KS08 used the idea of rank to devise blackbox algorithms for SIIS 
circuits. Their algorithms had a running time that depended exponentially in the rank. Hence, con- 
stant rank bounds would lead to polynomial time algorithms. Unfortunately, Kayal &; Saxena [KS06J 
gave constructions (extended in [SS09] ) showing that for SnS identities over finite fields, the rank 
could be unbounded (as large as klogd). This means that the best running time one could hope 
for over finite fields via this approach was d klosd . Tighter rank bounds from [SS091 ISSlOaj gave 
algorithms that almost match this running time. For the special case when the field F is Q, Kayal 
& Saraf [KS09b| proved a constant rank bound, establishing the first polynomial time blackbox 
algorithm for this case. Refer to [SSlOa] for a more detailed treatment of rank bounds. 

Until this work, all blackbox algorithms relied solely on the rank approach of Karnin & Sh- 
pilka [KS08]. As the examples of [KS06] show, even for the case of F2, a new idea is required to get 
polynomial time algorithms. We provide the first blackbox algorithm that circumvents the problem 
of large rank identities. Interestingly, one of the main ideas has roots in the non-blackbox poly- 
nomial time algorithm of Kayal & Saxena [KS06J. This algorithm had a completely different idea 
and used generalizations of the Chinese Remainder Theorem. These algebraic ideas were further 
developed in a previous work of the authors [SSlOaJ. Karnin & Shpilka [KS09aJ used extractors of 
Gabizon & Raz [GR05] to construct their blackbox algorithm. We combine these extractor ideas 
with the algebraic framework to develop a very useful algorithmic tool. Any EnE(fe, d, n) circuit 
can be converted into a small family of SnS circuits over just k variables. The original circuit is 
an identity iff all circuits in the family are identities. This transformation requires no knowledge of 
the circuit and has a running time of poly (kdn). 

Theorem 2 Let F be an arbitrary field such that |F| > dnk 2 . There is a deterministic algorithm 
that takes as input a triple (k,d,n) of natural numbers and in time poly(kdn), outputs a set of linear 
maps : F[xi, . . . , x n ] — > ¥[y%, . . . , (1 < i < poly(kdn) ). A T,JlE(k, d, n) circuit C is identically 
zero iff Vi,y t (C) = 0. 

Remark: The size restriction made in the theorem is really no loss of generality. In the blackbox 
model, it is standard to assume that we can query the given circuit on points in an extension field. 
If F is small, then we just need to move to a large enough extension field F'. Such an extension 
can be found by a deterministic poly (log |F'|) time method of Adleman & Lenstra [AL86], or even 
by a slower brute-force method of finding a suitable irreducible polynomial over F. We do all our 
computations in this extension field F'. Henceforth, for convenience, we will assume that the field 
has size > dnk 2 . 

Observe the power of this theorem. Regardless of n,d or F, every SnS(3, d, n) non-identity 
can be converted to an "equivalent" non-identity involving just 3 variables. The time required to 
generate this transformation is truly polynomial in the size of the circuit. We believe that this 
theorem will be useful in reaching the holy grail of a truly polynomial time PIT algorithm for SnS 
circuits. 

3 A small caveat: there are some technical restrictions of simplicity and minimality. 
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This theorem has a uniform treatment of all fields, and is hence stronger than rank bounds. The 
circuits ^i(C) only involve k variables. Using some standard PIT techniques, we can construct the 
following hitting set. This proves Theorem [TJ 

Theorem 3 Given the triple of natural numbers (k,d,n), a hitting set TL C F" for T,UT,(k,d,n) 
circuits can be constructed in deterministic poly{nd k ) time. In other words, for every non-zero 
d, n) circuit C over F, there is some vector (ai, . . . , a n ) G H such that C(a\, . . . , a n ) 7^ 0. 

We make a somewhat philosophical remark. By Schwartz-Zippel we know that PIT for a depth-3 
circuit C(xi, ... be done by feeding an n-wise independent random distribution. The proof 

of Theorem [2] shows that for T,UT,(k,d, n) circuits, /c-wise independent random distribution suffices. 

1.2 History 

The first randomized polynomial time PIT algorithm was given (independently) by Schwartz [Sch80j 
and Zippel |Zip79|. Algorithms using less randomness were devised by Chen &: Kao [CK97], Lewin 
&: Vadhan [LV98j. and Agrawal &: Biswas [AB99J. For depth-2 circuits, there has been a long line 
of work studying blackbox PIT algorithms [BOT88I ICDCK9H IWer941 iKSMl ISS961 IGKS901 IKSTU] . 
Raz &: Shpilka studied non-blackbox algorithms for non-commutative formulas [RS05 . 

Klivans & Spielman (KSOlj first observed that deterministic PIT was open even for depth-3 
circuits with bounded top fanin. Progress towards this was first made by the quasi-polynomial time 
algorithm of Dvir & Shpilka [DS05J. The problem was resolved (in the non-blackbox setting) by a 
polynomial time algorithm given by Kayal & Saxena (KS061. with a running time exponential in the 
top fanin. 

The remaining history of depth-3 PIT has been explained quite a bit in the previous sections. 
Identity tests are known only for very special depth-4 circuits [AM071 ISax08l |SV09, KMS V10] , 
Agrawal <fc Vinay [AV08] showed that an efficient blackbox identity test for depth-4 circuits will 
actually give a quasi-polynomial blackbox test, and exponential lower bounds, for circuits of all 
depths that compute low degree polynomials. Thus, understanding depth-3 identities seems to be a 
natural first step towards the goal of PIT and circuit lower bounds. 

At the end, we would just like to indicate how all the depth-3 PIT results are interrelated and 
how they collectively influenced progress in this problem. The rank notion of Dvir &: Shpilka [DS05 , 
the Chinese Remaindering of Kayal & Saxena }KS06j , the rank preserving subspaces of Karnin &; 
Shpilka [KS09a|, the series of improved rank bounds by the authors and Kayal & Saraf [SS09, KS09b, 
SSlOaJ: each paper built of previous results and provided enough food for thought for subsequent 
papers. This paper also builds on the edifice constructed so far. 

1.3 Organization 

In Sectional we give some basic definitions and give an intuitive overview of our approach. Section [3] 
gives some of the tools that were developed in previous works. In Section^ we give our main analysis 
and prove Theorems [2] and [3j 

2 Preliminaries and Intuition 

We will denote the set {1, ... ,n} by [n]. We fix the base field to be F, so the circuits compute 
multivariate polynomials in the polynomial ring 1Z := F[xi, . . . ,x n ]. We use F* to denote F \ {0}. 
For any subset S C [k], the sub-circuit Cs is Sses T s . For an i E {0, . . . , k — 1}, define [i]' := [k] \ [i]. 
Conventionally, [0] := and := 0. 

A linear form is a linear polynomial in TZ with zero constant term. We will denote the set of all 
linear forms by L(1Z) := {J27=i a « x * I °i> • • • > a « e Clearly, L(1Z) is a vector (or linear) space over 
F and that will be quite useful. Much of what we do shall deal with multi-sets of linear forms (also 
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product of linear forms) and equivalence classes inside them. A list of linear forms is a multi-set of 
forms with an arbitrary order associated with them. 

Definition 4 We collect some important definitions from JSS09]: 

[Multiplication term and operators L(-) &: M(-)] A multiplication term / is an expression 
in 1Z given as (the product may have repeated I's), f := c • n^gs^? where c € F* and S is a list of 
nonzero linear forms. The list of linear forms in /, L{f), is just the list S of forms occurring in the 
product above. For a list S of linear forms we define the multiplication term of S, M(S), as \\i eS i 
or 1 if S = 4>. 

circuits] An T,IlT l (k,d) circuit C is a sum of k multiplication terms of degree d, C = 
Yli=i T%- The list of linear forms occurring in C is L(C) := UiG[fc] ^(^i)- Note that L{C) is a list of 
size exactly kd. (For the purposes of this paper Ti 's are given in circuit representation and thus the 
list L(Ti) is unambiguously defined from C.) 

[Span sp(-) and Rank rk(-)] For any S C L(1Z) we let sp(S) C L(1Z) be the linear span of the 
linear forms in S over the field F. (Conventionally, sp(0) = {0}.) We use rk(S) to denote the rank 
of S, considered as vectors in ¥ n . 



2.1 Intuition and main ideas 

We give a high-level description of the main ideas used in this paper. Some notions are deliberately 
left vague, and others may even be formally incorrect. Nonetheless, this sketch is "morally" correct 
and, at some level, shows how the authors arrived at their conclusions. 

How do we convert a high variate SI1S(A;, d, n) circuit C into a low variate one and still preserve 
the structure of CI We wish to do this by a linear transformation ^ : ¥[x\, . . . , x n ] — > F[yi, . . . , ye], 
where t is comparable to k. When the rank of the linear forms in C is itself comparable to k, this can 
be done quite directly. We will get a circuit \&(C) that is essentially isomorphic to C. For identities 
of large rank, such a transformation seems impossible. Any linear transformation will necessarily 
destroy some of the structure of C. This is because forms that were independent in C are now 
dependent in ^?(C). But maybe we are trying too hard to preserve the dependencies in C? After 
all, we want a transformation that sends identities to identities. (And, of course, non-identities to 
non-identities. Surely, satisfying only the former condition is not too hard.) We are not particularly 
bothered about how well ^(C) preserves the exact structure of C. 

This is where the Chinese Remaindering techniques of [KS06J and the ideal framework of [SSlOaJ 
enters the picture. For any non-identity C, it was shown that there exists an ideal I generated by 
products of forms in L(C) that "certifies" that C is non-zero. Essentially, the polynomial C is not 
in ideal I and hence, must be non-zero. In reality, it is much more complicated than that, but for 
the sake of explanation, it captures the main idea. The forms involved in generating / have rank at 
most k. This gives a low-dimensional certificate of the non-zeroness of C. 

We argue that if can selectively preserve the forms generating /, then *S>(I) remains a certificate 
for ^(C). In other words, ^(C) will not be in ^(I). All that is needed is, to find such a that 
is independent of C (since we are interested in blackbox algorithms). Enter [KS09aj. They develop 
the notion of rank-preserving subspaces. These can be viewed as linear transformations from a 
large-dimensional vector space S\ to a smaller dimensional one 1S2 . These preserve the structure 
(in terms of linear independence) of specific low dimensional subspaces of S\. Furthermore, they 
can be constructed in a blackbox manner using extractors of [GR05J. To make this work, we will 
actually need a set of transformations, and one \& will not suffice. 

The circuit ^?(C) is of the form £![£(&;, d, k). This has only a constant number of variables, and 
the Schwartz-Zippel lemma [Sch80, Zip79] gives a simple blackbox algorithm for such circuits. This 



is combined with the transformation ^ to construct the final hitting set. 
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3 Necessary tools 



In this section, we list out the basic tools that we need. In the first part, we explain the low-rank 
ideal certificates for the non-zeroness of C. This requires some technical definitions, before we can 
state the exact theorem. In the second part, we give the key lemma of the Vandermonde matrix 
transformation used in [KS09aj. Once these tools are set in place, we will explain how the variable 
reduction works. 

3.1 Low rank certificates 

This framework and the following theorems were developed in jSSlOa) . The definitions are extremely 
technical, and may appear to be somewhat unmotivated. These are needed to precisely formalize 
the notion of the low-rank certificate for non-zeroness. We reproduce many of the definitions and 
details for convenience. For more details, the interested reader should see the full version of [SSlOaJ 
( [S5IQE] ). 

Definition 5 (Ideal) An ideal I ofTZ with generators fi,i € [m], is the set {X)ie[ m ] ' s e ^} 

and is denoted by the notation (fx, ■ ■ ■ , f m ) ■ For an f £ TZ, the three notations f = 0(mod I), 
f = 0(mod /i, . . . , f m ) and f £ I, mean the same. 

(Radical-span) Let S := {/i, . . . , f m } be multiplication terms generating an ideal I. We asso- 
ciate a linear space to S called the radical span, radsp(S) := sp(L(fi) U . . . U L(/ m )). 

When the set of generators S are clear from the context we will also use the notation radsp(I) . 
Similarly, radsp(I, f) would be a shorthand for radsp(S U {/}). 

(Nodes) Let f be a multiplication term and let L be an ideal generated by some multiplication 
terms. As the relation "similarity mod radsp(I)" is an equivalence relation on L(TZ), it partitions 
the list L{f) into equivalence classes. 

[repj(/)] For each such class, pick a representative £i and define their collection repj(f) := 
{£i, . . . ,£ r }. (Note that form can also appear in this set, it represents the class L(f) n radsp(L).) 

[nod/(/)] For each £i 6 repj(f), we multiply the forms in f that are similar to ti mod radsp(L). 
We define nodes of / mod / as the set of polynomials nodi(f) := {M(L(/) n (F*^+ radsp(L))) \ £ 6 
repj( f)}. (Remark: When L = {0}, nodes of f are just the coprime powers- of- forms dividing f .) 

(Paths) Let L be an ideal generated by some multiplication terms. Let C = X^ie[fc] ^ e a 
SIIS(A;,(i) circuit. Let Vi be a sub-term of Ti (i.e. L(vi) C L(Ti)), for all i € [k]. We call the 
tuple (I,V\, . . . a path of C mod / if, for all i € [k], Vi € nodn jVl ^ ..., Vi _ x )(Ti). It is of length k. 
(Remark: We have defined path p as a tuple but, for convenience, we will sometimes treat it as a 
set of multiplication terms, eg. when operated upon by sp(-), {•), radsp(-), etc.) 

Conventionally, when k = the circuit C has just "one" gate: 0. In that case, the only path C 
mod I has is (I), which is of length 0. 

Observe that the product of polynomials in nod/(/) just gives / (upto a constant multiple). Also, 
modulo radsp(J), each node is just a form-power £ m . In other words, modulo radsp(J), a node is a 
rank-one term. Figure [T] should clarify the definition. The oval bubbles represent the list of forms in 
a term, and the rectangles enclose forms in a node. The arrows show a path. Starting with / as the 
zero ideal, v\ := x\ , V2 := X2(x2 + 2x±), and v% := (x4 + X2)(x4 + 4:X2 — xi)(x4 + X2 + xi)(x4 : + X2 — 2xi) 
form a path. Initially the path is just the zero ideal, so x\ is a node. Note how V2 is a power of X2 
modulo radsp(vi) and v% is a power of X4 modulo radsp(t>i, V2). 

Theorem 25 of [SSlObJ claims that in a non-zero depth-3 circuit C, there always exists a path 
"certifying" the non-zeroness of C. Essentially, there is a path p such that modulo p, the circuit C 
reduces to a single non-zero multiplication term. The theorem is stated for general settings, but we 
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Ti T 2 T 3 

Figure 1: Nodes and paths in C = T\ + T 2 + T3 + . . . 

will always assume that / = (0). Note that the rank of radsp(p) is at most (k — 1), since each node 
can increase the rank by at most 1 and since one term is to be left uncancelled. 

Theorem 6 (Certificate for a Non-identity) Let I be an ideal generated by some multiplication 
terms. Let C = Y2ie[k] -^i be a SnS(/c, d) circuit that is nonzero modulo I. Then 3i £ {0, . . . , k — 1} 
such that Cm mod I has a path p satisfying: Cuy = a ■ Ti + \ ^ {mod p) for some a € F*. 

3.2 The Vandermonde linear transformation 

Linear transformations based on the Vandermonde matrix are used widely, for eg. in [GR05| to 
construct linear seeded extractors for affine sources. This was adapted in }KS08j to design depth-3 
blackbox PIT algorithms. We will need ideas from Lemma 6.1 from [GR05J to construct linear 
transformations that reduce the dimension of a space but still preserve the structure of low rank 
subspaces. 

We will design a linear transformation $ g : F n — > ¥ k for any (3 G F as follows. Let V n ^k,i3 denote 
the n x k Vandermonde matrix. This is defined as (T4ifcfl)iJ := fi 13 ■ We have 

n 

(61 . . . b k ) = (ai . . . o„) • V n , k ,p (b r = a iP Ti ) CO 

i=l 

So far, ^ r has been seen as a linear transformation. But we wish to eventually understand its 
action on ideals. For that reason, it is necessary to view as a linear homomorphism from 
1Z = ¥[x±, . . . , x n ] to 1Z' := ¥[yi, . . . ,yk\- This means that ^> p maps 7Z to 7l! and preserves the ring 
operations of addition and multiplication. We can equivalently define ^ p as 

k 

Vi€[n], VpiXi^Yt^Vj ( 2 ) 
i=i 

We define ^ p{ct) = a for all a 6 F. This (naturally) defines the action of on a// the elements 
of 7Z, that preserves the ring operations of 1Z. We now state a key property of \& (Lemma 6.1 
of [GR05 ). For completeness, a proof is provided in Appendix lAl 

Lemma 7 preserves /c-rank) Let : TZ — > 1Z' be the linear homomorphism defined by 
Equation Let S C L{TZ) be a subset of linear forms with rk(S) < k. For all but nk 2 values of 
P, rk{^p(S)) = rk(S). 

The homomorphism ^ p depends solely on the triple of natural numbers (k, d, n) and is computable 
in polyikdn) time. 

Remark: At first sight ^ g might seem independent of d but recall that we assume |F| > dnk 2 . 
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4 Analysis 



With all the basic definitions in place, we are now ready to convert any £nE(/c, d, n) non-identity 
C into a SHE (A;, d, k) non-identity. This will be done through a two-step process. We will use the 
properties of ^ p to prove a major generalization of Lemma [71 Not only does '3/ a preserves small 
subspaces, but it also maintains the structure of ideals having low radical-span. This leads to the 
second step. We deduce that * p must preserve all paths of C, since paths have a low radical span. 
Since C has a certifying path p, we show that ^ p{p) must also be a certificate for ^(C). 

4.1 The moral nature of ^Z^: it maintains ideals 

We study the action of ^ on ideals. Our main lemma is the following. 

Lemma 8 (\Pg preserves ideals) Let fi, . . . , f m , f be multiplication terms in 1Z. Define the ideal 
I := . . . , f m ). Let the span sp{L{f) U radsp(L)), over ¥, be of rank at most k. Then, for all but 
nk 2 values of 0: fel iffVp(f) G (Vp(fi), . . . , */?(/m)}- 

To prove this, we need to show that the map \l , ( g is an isomorphism on small enough subrings 
of 1Z. This is a fairly direct consequence of Lemma [7J For £\, . . . ,£ k £ L(7Z), ¥[£±, . . . ,£k] C 1Z 
denotes the set of all polynomials g(£\, ■ ■ ■ ,£ k ), where g E ¥[y%, . . . ,y k ]. This is the subalgebra of 1Z 
generated by {h, . . . ,£ k }. 

Lemma 9 Let £\, . . . ,£ k € L(7Z) be k linearly independent forms. Then, for all but nk 2 values of 
f3, ^ a induces an isomorphism between ¥[£1, . . . ,£ k ] and 1Z' . 

Proof. Let B denote ¥[£\, ... ,£ k ] and set S := {£\, . . . ,£ k } C L(7Z). It will be convenient to define 
to be the map induced by on B. We will show that §p : B — » 1Z' is an isomorphism. Since 
S is of rank k, B is isomorphic to 1Z' (under an invertible linear transformation of variables). To 
show that the homomorphism is an isomorphism, it suffices to prove that <3?^ is onto. We need 
to show that for any g(yi, . . . , y k ) € 1Z', there exists p E B such that $>p(p) = g. 

For the set S, choose a value of j3 other than the nk 2 values given by Lemma [7J We have 
rk($«(S')) = rk(5) = k. Therefore, for each yi, there exist constants ay € F such that = 
Y^j &j$p(£j)- By the linearity of <&p, yi = &p(J2j otj£j). Hence, for each yi, there is some linear 
form ti S L(B), such that $>p(ti) = yi. The polynomial p := g{t\, . . . ,t k ) is certainly in B. Since <3>g 
is a homomorphism, <&p(p) = g. ■ 

We can now complete the proof of Lemma [HJ 
Proof. If / G J, then / = Ylie[m] 3*/*' where gi G 7?.. Since Vl^ is a homomorphism, ^p(f) = 

Eie[m] *p(9i)Mfi)- So */*(/) e OM/i), ■ • • , ^(/m))- 

Let the span sp(L(/) U radsp(I)) over F be generated by linear forms £\,... ,£ r S L{1Z). Since 

the rank of sp(L(/) U radsp(/)) is at most k, r < k. Choose arbitrary forms £ r +i, ■ ■ ■ ,£ k such that 

£\,...,£ k are linearly independent. Define subring (of 7Z) B := ¥[£%, . . . ,£ k \. Applying LemmaO we 

get that for all but nk 2 values of j3, induces an isomorphism : B — > TZ' . Choose any such f3 

and fix the unique elements t\, . . . , t k G B such that $p(ti) = y% for all i G [k]. 

Suppose G (*jg(/i), • • • ,^p(fm))- Then there exists g 1 ,... ,g m e TZ' such that, 

m 

Each <7j is a polynomial in (7/1, . . . , y k ) over F. So we can define the polynomial, 

m 

h := / - ^5i(*l> • ••,**;)■ fi- 

i=l 
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Note that / and /j's are multiplication terms generated by forms in the sp(£\, . . . ,£k)- Hence all of 
these are in B. The polynomials gt(ti, . . . , tk) are also in B, so h G B. Since <&g is a homomorphism, 

m m 

$ p (h) = $ fi (f) - <?*($/?(*i), • • • , • = M/) - X>(i/i, ■ Vpifi) = o 

i=l i=l 

But $a is an isomorphism, so h = 0. This implies / = 532=1 fl^ij • • • jifc) • fi- Note that the 
evaluations of the g^s are in 1Z. Thus, / € (/i, . . . , / m ). ■ 

4.2 Variable reduction 

We come to the main part where we merge the path certificates with the properties of 1/ g to 
prove the variable reduction. We will need a technical cancellation lemma from [SSlOb] . proven in 
Appendix |Bj 

Lemma 10 Let /i, . . . , f m be multiplication terms generating an ideal I, let I G L(7Z) and g G TZ. 
If £ £ radsp(I) then: tg G I iff g G I . 

We now state our main variable reduction lemma. This, combined with the polynomial time 
constructions of the ^'s, completes the proof of Theorem [2j 

Lemma 11 Let C be a SI1E(A;, d,n) circuit and UCF such that \U\ = dnk 2 + 1. Then C = iff 
V/3 G U, typ(C) = 0. 

Proof. Since ^fg is a homomorphism, C = implies V/3, *$>g(C) = 0. 

Suppose C / 0, but V/3 € £7, % p(C) = 0. Applying Theorem [6] on C (with 7 := (0)) yields a 
certifying path p. Thus, 3i £ {0, . . . , k — 1} such that Cm mod 7 has a path p satisfying, 

Cuy = a • Ti + \ j£ (mod p), for some a G F*. (4) 

Note that ]5 is basically a sequence of multiplication terms such that rk(radsp(p)) < k. Let g := 
M(L{Ti + \) n radsp(p)). This is just the product of all forms in Tj+i that are in radsp(p). Note 
that Ti + \/g is a product of forms not in radsp(p). By repeated applications of Lemma fTP"! since 
Ti+x £ (p), g £ (p)- The rank of sp(7(g) U radsp(p)) is less than k. Indeed, for any linear form 
£ G L(Tj + i), the rank of {£} U radsp(p) is at most k. 

We will now collect a set B of "bad" ft values. By Lemma [3 for each £ £ L(Tj+i), there are at 
most nk 2 values of /3 such that \P g does not preserve rk({£} U radsp(p)). Add all of these values to 
B. The total number of all these bad ft values is at most dnk 2 . Therefore, there exists a good ft in 
U. 

For any ft € U\B, we know that tyg preserves rk(L(g) Uradsp(p)) = rk(radsp(p)). Thus, by the 
proof of Lemma El ^ g preserves g £ (p). In other words, ^g(g) ^ (^g(p)}. We get a contradiction 
with the following claim. 

Claim 12 CWse ft £ U \ B. If ^ g{C) = 0, i/ien G 

Proof. Observe that C$ = (mod p), implying ^ g{C^) = (mod ^g(p)). We get = ^g(C) = 
tyg(C\i\)+ tyg(Cuy). Going modulo p and applying Equation flU), ^(Tj+i) = (mod ^g(p)). In 
terms of ideals, ^(Tj+i) G (^(p)}. Consider any form ^ G L(Tj+i) such that I £ radsp(p). We 
will show that ^g(T i+1 )/^g(£) G 

We have rk({£} U radsp(p)) = rk(radsp(p)) + 1, by the choice of I. Since ft £ B, rk({®g(£)} U 
radsp(* /3 (p))) = rk(radsp(*^(p))) + 1. This implies ^ g{£) £ radsp(^(p)). Since ^fg(T i+1 ) G 
($?g(p)), Lemma [TUI tells us that ^ g{Ti + i) g{£) G (^g(p)}. We can iteratively repeat this process 
for all such forms £. We will end up with ^g(g) G (^(p)). ■ 
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4.3 The final hitting set 

Let (k,d,n) be the triple of natural numbers given in the input. We design a simple hitting set T~L. 
We will generate a set of vectors 5 £ F n that make "H. 

• Let S C F be an arbitrary set of size dnk 2 + 1. 

• Let T C F be an arbitrary set of size d + 1. 

• For each (3 € S and each vector (71, . . . , 7^) £ T fc , define the vector 5 in F n as follows: 

ie[k] 

We will use the classical Schwartz-Zippel theorem. 

Theorem 13 (Schwartz-Zippel) Let f(yi, ■ ■ ■ ,yk) be a polynomial of degree d. Let T be a finite 
subset o/F. The probability that f is zero on a random point in T k is at most d/\T\. 
Thus, for \T\ > d, T k is a hitting set for all k-variate polynomials of degree d. 

We are now all set to finish the proof of Theorem [3l 

Theorem 14 The set H is a hitting set for TiHYl(k,d, n) circuits. It can be generated in poly{nd k ) 
time. 

Proof. The latter statement is quite clear, given the construction of %. Consider a non-zero 
SIIS(fc,d, n) circuit C. We need to show the existence of some 5 € H such that C(5) 7^ 0. By 
Lemma [TT| there exists a f3 G S such that *^(C) 7^ 0. Since VPg(C) is a d, k) circuit, 

Theorem 1131 tells us that there is some 7 £ T k such that (C)(7) 7^ 0. Consider the 5 corresponding 
to this j3 and 7. By construction of 5 and the definition of ^> p (Equation [2]) , C(5) = ^(CXt") 7^ 0. 



5 Conclusion 

We show that SI1S(A;, d, n) identity is only as complicated as a Y,UY,(k,d, k) identity. We prove 
this fact by observing that there is a "low rank" homomorphism that preserves the ideal structure 
in depth-3 circuits. Since this low rank homomorphism is easily computable, we get a poly(nd fc ) 
time blackbox test. Can we identify properties of /c-variate fanin k identities to develop faster PIT 
algorithms? Currently, no PIT algorithm is able to beat the exponential dependence on k. 

This work also raises a question for depth-4 circuits: are there analogous low rank homomor- 
phisms for Snsn(/c) circuits? Such results would open the door for interesting PIT algorithms for 
higher depth circuits. 

Can this approach be used beyond PIT? In particular, there are results known about learning 
SnS(fe) circuits where PIT methods have turned out to be useful [KS09aJ. The variable reduction 
techniques might have some utility for these problems. 
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A A Vandermonde-inspired Linear Transformation 

Lemma [3 Let ^ p : 7Z 1Z' be the linear homomorphism defined by Equation (J2|). Let S C L(TZ) 
be a subset of linear forms with rk(5) < k. For all but nk 2 values of f3, rk(^ p(S)) = rk(S'). 

The homomorphism ^p depends solely on the triple of natural numbers (k,d,n) and is com- 
putable in poly(kdn) time. 

Proof. We can assume wlog that S is of rank k, and has k linearly independent forms £i,...,£). £ 
L(TZ). Say ^> p maps li = J2je[n] a i,j x j *° Ylje[k] ^ijUj, for all i £ [k]. Define matrices B : = 
i( b i,j))ie[k],j&[k] and A := ((oij))i e [fc]j e [ n ]- By Equation (fTJ) we deduce B = A ■ V n;k - We will show 
that B is invertible. 

Since the rows of A are linearly independent over F, we can apply partial Gaussian elimination 
(i.e. row operations) on A. This has the effect of le/i-multiplying A by an invertible matrix E € 
jpfcxfc ensur i n g : there are column indices ji > . . . > G [n] such that ji is the maximal index with 
(EA)ij i ^ 0, for all i € [A;]. Now we consider the matrix B' := (EA) ■ V n ,ki 

det(B') = sgn(<T) • P a ((3), where P a {fi) := ]J B'^. 
o-es fc ie[k] 

Note that we view B^,^ as a polynomial in F[/3] which, by the assumption on EA, is of degree 
ji ■ a(i). Thus, 

deg(P a ((3)) = J> •*(*). 

ie[k] 

Since j\ > ... > jk, it can be easily shown that the expression above achieves its maxima (over 
a € Sk) only if er(l) > . . . > a(k). But this uniquely specifies a, hence there is a unique P a (ft) of 
the largest degree (< nk 2 ). Thus, det(B') is a nonzero polynomial in F[/3] of degree at most nk . 
This means that B' is invertible, hence B = E~ 1 B' is invertible, for all but at most nk 2 values of 
P- ■ 

B A Cancellation Lemma 

An / G 1Z is called a zerodivisor of an ideal / (or mod I) \i f £ I and there exists a g G 1Z \ I such 
that fg € /. 

Let u,u £ K. It is easy to see that if u is nonzero mod / and is a non-zero divisor mod / then: 
uv & I iff v € I. This can be seen as some sort of a "cancellation rule" for non-zerodivisors. We 
show such a cancellation rule in the case of ideals arising in ELTS circuits. 
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Lemma 1101 Let ft, . . . ,f m be multiplication terms generating an ideal /, let £ G L{JZ) and g G 1Z. 
If£<£ radsp(I) then: £g G I iff g G I. 

Proof. Assume £ ^ radsp(I). If / = {0} then the lemma is of course true. So let us assume 
that / ^ {0} and rk(radsp(/)) =: r G [n — 1]. As £ £ radsp(I) there exists an invertible linear 
transformation r : L(7?.) — > L(72.) that maps each form of radsp(I) to sp(xi, . . . ,x r ) and maps £ to 
x n . Now suppose that £g G I. This means that there are qt, . . . , q m G TZ such that £5 = Yli=t Qifi- 
Apply r on this to get: 

m 

1=1 

We know that r(/j)'s are free of x n . Express 5', g--s as polynomials wrt x n , say 

5' = a j x in where aj G F[xi, . . . , x n _i] (6) 
i>o 

= ^ where b itj G F[xi, . . . , a; n _i] (7) 

i>o 

Now for some d > 1 compare the coefficients of on both sides of Equation (0). We get a^-t = 
£™i Kd T (fi)> tnus and ad-ixi" 1 are in (r(/i), . . . ,r(f m )). Doing this for all d > 1, we get 
g' G (t(/i), . . . , r(/ m )), hence c? = t -1 ^') G {ft, . . . , f m ) = I. This finishes the proof. ■ 
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